The login web page of my website is not secure: whenever I type a username or password on the login page in Firefox, I get a dialog box saying:
The connection is not secure. Logins entered here could be compromised.
Should I try prepared statements, or is there another issue? Sorry this is a broad question, but I'm not all too familiar with web security.
Here's my login page code:
<?php
include("connect.php");
include('PHPMailer/PHPMailer-master/examples/gmail_xoauth.phps');

if (isset($_POST['createaccount'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    if (!connect::query('SELECT username FROM accounts WHERE username=:username', array(':username' => $username))) {
        if (strlen($username) >= 3 && strlen($username) <= 32) {
            // Anchored so the whole username must match, not just a substring of it
            if (preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
                if (strlen($password) >= 6 && strlen($password) <= 60) {
                    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
                        if (!connect::query('SELECT email FROM accounts WHERE email=:email', array(':email' => $email))) {
                            // Only the bcrypt hash of the password is stored
                            connect::query('INSERT INTO accounts VALUES (null, :username, :password, :email, \'0\')', array(':username' => $username, ':password' => password_hash($password, PASSWORD_BCRYPT), ':email' => $email));
                            gmail_xoauth::sendMail('Welcome to the Website!', 'Your account has been created!', $email);
                            echo "<h3 class = 'errmessage'>Success!</h3>";
                        } else {
                            echo '<h3 class = "errmessage">Email already in use!</h3>';
                        }
                    } else {
                        echo '<h3 class = "errmessage">Invalid email!</h3>';
                    }
                } else {
                    echo '<h3 class = "errmessage">Invalid password, at least 6 characters!</h3>';
                }
            } else {
                echo '<h3 class = "errmessage">Invalid username, at least 3 characters</h3>';
            }
        } else {
            echo '<h3 class = "errmessage">Invalid username</h3>';
        }
    } else {
        echo '<h3 class = "errmessage">User already exists!</h3>';
    }
}

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (connect::query('SELECT username FROM accounts WHERE username=:username', array(':username' => $username))) {
        if (password_verify($password, connect::query('SELECT password FROM accounts WHERE username=:username', array(':username' => $username))[0]['password'])) {
            $cstrong = true;
            // 64 random bytes, hex-encoded, as the session token handed to the browser
            $token = bin2hex(openssl_random_pseudo_bytes(64, $cstrong));
            $user_id = connect::query('SELECT id FROM accounts WHERE username=:username', array(':username' => $username))[0]['id'];
            // Only a hash of the token is kept server-side
            connect::query('INSERT INTO users VALUES (null, :token, :user_id)', array(':token' => sha1($token), ':user_id' => $user_id));
            setcookie("SNID", $token, time() + 60 * 60 * 24 * 7, '/', NULL, NULL, TRUE);
            setcookie("SNID_", '1', time() + 60 * 60 * 24 * 3, '/', NULL, NULL, TRUE);
            setcookie("username", $username, time() + 3600);
            header("Location: home.php");
            exit; // stop running the rest of the page after the redirect
        } else {
            echo '<h3 class = "errmessage">Incorrect Password! Try again</h3><br><br><br>';
        }
    } else {
        echo '<h3 class = "errmessage">User not registered! Try again</h3><br><br><br>';
    }
}
?>
Here's the connect.php file:
<?php
class connect
{
    private static function db()
    {
        // No spaces around '=' in the DSN, otherwise PDO does not recognise the charset option
        $pdo = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8', 'username', 'password');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $pdo;
    }

    // Runs a prepared statement with bound parameters; returns rows for SELECTs, nothing otherwise
    public static function query($query, $params = array())
    {
        $statement = self::db()->prepare($query);
        $statement->execute($params);
        if (explode(' ', $query)[0] == 'SELECT') {
            $data = $statement->fetchAll();
            return $data;
        }
    }
}
?>
This is due to you having a password field on a non-TLS page, meaning your page is served over HTTP, not HTTPS. You can learn more about the Firefox side of that here and Mozilla's note to developers here. This can be fixed by adding an SSL certificate to your server.
Some certificates cost money, but you can look into Let's Encrypt for free certificates. The main difference between the paid certs and Let's Encrypt certs is the length of validity. At the time of writing they are only good for 3 months; however, there are tools to automate the renewal.
Firefox added this warning for form elements on pages that are not served using HTTPS that it determines are for sensitive information. This went live in Firefox 52. See this Mozilla blog post and this Mozilla support page for more information.
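Both answers above say the fix is to serve the login page over HTTPS. What that looks like on the PHP side, as an added example that is not code from the question or from either answer: once a certificate is installed, the page should refuse to render its password field over plain HTTP, tell the browser to stick to HTTPS, and set the Secure flag on the login cookie (the question's setcookie() calls pass NULL for that flag, so the cookie would also travel over HTTP). The example assumes a certificate is already installed, PHP 7.3 or newer (for the options-array form of setcookie), a placeholder canonical hostname `www.example.com`, and that `$token` is the value generated in the question's login code; the names `is_https`, `require_https`, `set_login_cookie` and `CANONICAL_HOST` are this example's own.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes: a TLS certificate is installed, PHP >= 7.3, and this file is
// included at the very top of the login page, before any output.

// Placeholder: the hostname the site is meant to be reached under. Using a
// fixed value (rather than $_SERVER['HTTP_HOST']) means the redirect below
// can never be steered to another host by a crafted Host header.
const CANONICAL_HOST = 'www.example.com';

// True when the current request arrived over TLS. Checks PHP's standard
// $_SERVER['HTTPS'] flag and, for sites behind a TLS-terminating proxy or
// load balancer, the X-Forwarded-Proto header. Only pass true for the second
// check if your proxy sets that header, otherwise a client could spoof it.
function is_https(bool $trust_forwarded_proto = false): bool
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_forwarded_proto
        && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

// Sends any plain-HTTP request for this page to its HTTPS equivalent, so the
// form with the password field is never delivered over HTTP at all.
function require_https(): void
{
    if (is_https()) {
        return;
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
    exit;
}

// Sets a cookie the browser will only send back over HTTPS (Secure), that
// JavaScript cannot read (HttpOnly) and that is not attached to cross-site
// POSTs (SameSite=Lax).
function set_login_cookie(string $name, string $value, int $ttl_seconds): void
{
    setcookie($name, $value, [
        'expires'  => time() + $ttl_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

require_https();

// Tell the browser to use HTTPS for this host for the next year, so later
// visits never start over HTTP. Browsers remember this, so only send it once
// the whole site works over HTTPS.
header('Strict-Transport-Security: max-age=31536000');

// Use in place of the question's setcookie("SNID", ...) line, where $token is
// the value generated in the login code (assumed to be in scope here):
// set_login_cookie('SNID', $token, 60 * 60 * 24 * 7);
```

`require_https()` has to run before anything is echoed, because `header()` fails once output has started; placing the include at the top of the page, ahead of the `errmessage` echos, satisfies that. The Secure flag also matters for the `SNID_` and `username` cookies in the question, which should go through the same helper.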